SANS ISC InfoSec Forums

We have received reports from our readers that Microsoft Update, MBSA 2.0, and ITMU previously may not have indicated the need to install an additional package for this security update if you have Microsoft XML Core Services 4.0 SP2 installed (although MBSA 1.2.1 did). However, it seems that Microsoft has since updated the scan files, and these tools are now able to detect the need for the additional package.

From Microsoft Knowledge Base article number 924191: If you have multiple versions of the Microsoft XML Parser or Microsoft XML Core Services (MSXML) installed, you may have to install multiple packages for this security update. Additionally, if you install a version of MSXML after you install this security update, you may have to install an additional package for this security update.

One of our readers suspected that MBSA 2.0, Microsoft Update and ITMU only consider the patch to be applicable if MSXML4.DLL was installed as part of an MSI package for XML 4.0:

Microsoft's patch detection code for Microsoft Update as of 4 PM ADT 10/13/2006 wasn't detecting MSXML4 SP2 if it was installed via the merge module (i.e. as the result of installing a third-party product that redistributed Microsoft's code using the Microsoft-approved method for doing this). Sometime between then and now, Microsoft updated the scan files. In the original scan files (released on Tuesday), Microsoft would only consider the patch applicable if the MSI version of MSXML4 SP2 was installed.

The new scan files work around this - they still detect language-specific variants of the MSI if they are installed (and generate unique UpdateIDs for those variants), but if no MSI is installed it will fall back to the UpdateID that was used in the original scan files if (and only if) the 1033 (i.e. US English) version of the MSI was installed.

Given this, we recommend that you rescan your systems to determine whether you need any additional patches that were not reported earlier.
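
To cross-check a scanner result against what is actually on disk, the following PowerShell sketch (an added example, not code from Microsoft or from the reader quoted above) lists every MSXML DLL in the system directories and shows whether any MSI product registration matches it. The DLL locations and the "MSXML" DisplayName pattern are assumptions, and the patched file version is not stated on this page, so the script only reports what is installed.

```powershell
# Added example: inventory MSXML DLLs by file presence and compare with MSI
# registrations. A DLL with no matching MSI entry is the merge-module case
# described above, which the original scan files did not detect.

# Assumption: MSXML DLLs live in the system directories as msxml*.dll.
$dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path $_ }

# Assumption: a standalone MSI install appears under the Uninstall keys with
# "MSXML" in its DisplayName.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$msiProducts = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*MSXML*' } |
    Select-Object -ExpandProperty DisplayName)

Get-ChildItem -Path $dirs -Filter 'msxml*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $registered = @()
        # msxml4.dll -> major version "4"; only then look for a matching MSI name.
        if ($file.BaseName -match '^msxml(\d)') {
            $major = $Matches[1]
            $registered = @($msiProducts | Where-Object { $_ -match "MSXML\s*$major" })
        }
        $msiText = '(none: not MSI-registered)'
        if ($registered) { $msiText = $registered -join '; ' }

        [pscustomobject]@{
            Path        = $file.FullName
            FileVersion = $file.VersionInfo.FileVersion
            MsiProduct  = $msiText
        }
    } | Format-Table -AutoSize
```

Any host where an msxml4 DLL is listed with no MSI product is a candidate for a rescan with the updated scan files.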